c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50

Analysis

max time kernel
93s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2022 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe
Size

146KB
MD5

0cc00c7a3e291a5d7fa675836bc72467
SHA1

2626228708b77bd3de28c0d1677001c1f08ae04d
SHA256

c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50
SHA512

82b38a8f6e5bd68bc110893dca2da8d632c10b69b6efa79717dc29161f19ee2021591dbb9357fa2336fc950e6fe290c832754ea453026e64cff12d4a6b5b6c6e
SSDEEP

3072:b1dlKwgj23+Oz05YoNoz+YUFrdXuC72N4Mia9Ib2IUfAAW:b1dlZro5yU3yuMf6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
648	server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
648	server.exe
648	server.exe
648	server.exe
648	server.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 648	5012	c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe	80
PID 5012 wrote to memory of 648	5012	c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe	80
PID 5012 wrote to memory of 648	5012	c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe	80
PID 648 wrote to memory of 1996	648	server.exe	46
PID 648 wrote to memory of 1996	648	server.exe	46
PID 648 wrote to memory of 1996	648	server.exe	46
PID 648 wrote to memory of 1996	648	server.exe	46
PID 648 wrote to memory of 1996	648	server.exe	46
PID 648 wrote to memory of 1996	648	server.exe	46

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1996
- C:\Users\Admin\AppData\Local\Temp\c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe
  "C:\Users\Admin\AppData\Local\Temp\c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
051962ed139b40cfb0df9eb6e2472614

SHA1
f06ccb91bc5c9286d1fde8d157e9ef717ec57397

SHA256
2e94ec0996603c6daa4a966e7899c0f72e07283087eaf85653031cf22c129014

SHA512
46404da469d82b8821e7a6f428956e4c57342ec9b4a8ed87c7341034e6e58647e622b086cfa7960edb1d7c71a6b9d73947c64e9ba55456f10a607470bf12934a

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
051962ed139b40cfb0df9eb6e2472614

SHA1
f06ccb91bc5c9286d1fde8d157e9ef717ec57397

SHA256
2e94ec0996603c6daa4a966e7899c0f72e07283087eaf85653031cf22c129014

SHA512
46404da469d82b8821e7a6f428956e4c57342ec9b4a8ed87c7341034e6e58647e622b086cfa7960edb1d7c71a6b9d73947c64e9ba55456f10a607470bf12934a

Download Submit
memory/648-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/648-136-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1996-137-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download